Are not necessarily an enemy of your company. In fact, they may not know or care who you are. If there is nothing of interest on your system then it will be used as an attack platform to reach other systems.

Things of greatest interest are:

Unrestricted Internet access

Unrestricted ability to make outgoing telephone calls

Any interesting security systems, source code or information

LESSONS LEARNED:

Make your system uninteresting. Blend in with the crowd. Never allow public accounts.

Make your system hard to crack. Maybe they will go look for an easier to crack system.

Remove the benefits of cracking your system

No in house connections - No outgoing modems - No outgoing Telnet, ftp, etc.....

Many hackers are single, teenage males with high IQ and social problems. While many people watch Television, they play with computers. If they trust you, they can be friendly and will happily tell you how they cracked your system. It's "bragging" rights.

Companies can utilize this type of hacker to strengthen their defenses against corporate and national industrial espionage. The usual cost is a few pizzas and old equipment.

Do not give them free access to your system or offices. Never fully trust them!

This is a STREET SMART way of handling your systems but requires people, technical skills and some risk that you may not want to commit.

If you do choose to use this method, be very aware of what you are doing. Choose who will be your interface very, very carefully. I can't stress this point enough. This can be a managed risk, but only if you use the correct people.

Hackers in the wild are a mixed bag. They are as different as everyone else and some are dangerous.

When using this type of hacker, one approach is to attend a meeting and listen. Tell them why you are there and never lie. Treat them like nervous people.

Read their magazines, printed and on-line. Don't trust everything you read in the on-line editions.

Use their BBS systems.

One of the benefits of using Hackers as an unofficial support team is that it is like building resistance to poison. You can take small amounts so that you survive over a long period of time and build resistance to a full scale attack. Think of Hackers as a Hostile Test Team, a concept that many of us are already comfortable with.

In fact, your hackers may even defend you against outsiders if they view it as an attack against one of their allies.

There are Computer Security Consultants who can do everything that the hackers do. They won't work for pizza, but they can be trusted.

There are also Hackers for Hire. Some have been caught, convicted and reformed. They should be trustworthy.

Using Hackers and Consultants for hire is easier to sell to your upper management, but costs real money. The risk is very low but you have to work hard to find a consultant that is well matched to your needs. Don't be afraid to demand results.

Over 1.2 million computer penetrations were reported in 1992. (Internet World February 1995)

Doing the math, I arrived at: 2,340,000 break-ins (1,200,000 X 1.97)

Look at that number! It's over 2 MILLION break-ins per year! Are you one of them? Can you tell? Most people suffer the results of a break-in and never know it. Their data is compromised, their processes may be trojaned and the company directors may be at legal risk for not taking reasonable precautions.

When practiced by foreign governments the goals can be harder to understand, especially for North Americans who have a tradition of trusting their governments and hold privacy as "a right".

Steal information from their own industry. This is a great deal! No one is going to sue a national government. They create jobs and improve their economy without large R&D expenditures by stealing your research.

Military.

(Not the subject of this presentation)

Ignore this at your own risk! Foreign governments are well funded, well trained, determined and can be protected by diplomatic immunity. If they are attacking you over the Internet they may not even be breaking the law.

A problem that has attracted far too little attention to date is that of industrial espionage committed by or with the assistance of foreign intelligence services.

I am not going to suggest that foreign industrial espionage is the greatest difficulty American industry faces in seeking to succeed in the global market. But it is a real problem that costs the U.S. economy billions of dollars annually and appears to be growing rapidly.

While much industrial espionage is solely the work of private firms, in many cases foreign governments assist or even direct economic spying activities. French intelligence has long engaged in large-scale industrial espionage programs, penetrating foreign businesses, intercepting their telecommunications, and conducting a reported 10 to 15 break-ins each day at Parisian hotels to copy documents business people have left in their rooms. The information acquired is passed on to French industry. (Senator Cohen)

The governments of Japan, Germany, Belgium, the Netherlands, and other allies, as well as such countries as China, are also reported to spy on behalf of their countries' industry. (Senator Cohen)

This is the threat that can destroy your company, your national industry and your job opportunities. Consider the American semi-conductor, television and appliance industries. These attacks are not limited to United States companies. Anywhere there is an illicit gain to be made, someone will attempt it. Ask foreign affiliates about their company security policies.

There is a cost in capital assets and manpower in ensuring information security.

IS IT WORTH THE COST?

The answer has to be based upon the following factors:

How common are attacks?

What is the direct cost of what I am protecting?

What are the indirect costs of what I am protecting?

What are the intangible costs?

2) The data cost $100,000 to collect and process

3) The loss or damage to the data could put the company 6 months behind schedule costing you the loss of customer support.

4) Your competitor gains part of your market share. 60 Minutes shows up at your office.

Dain Gary, manager of the Computer Emergency Response Team, reports that his group logs three to four security breaches on the Internet each day. In 1993 there were 773 reported intrusions. I don't have the 1994 numbers; however, Gary expected a 50% increase over the 1993 number. The real numbers are probably even higher. (Internet World, February 1995)

It has been reasonably estimated that on a national basis, the cost of security packages sold to commercial ventures exceeds the total cost of all losses due to break-ins or software attacks.

The problem is that the losses are spread across a small group who shoulder the entire burden while the cost of security packages is spread nationally. Of course the losses would be astronomical if no one had purchased any security packages.

If your system is "interesting" or you have low security, then you increase your risk.

The security risk and its cost can be likened to major medical insurance. Everyone complains about the cost but everyone who can afford it has it because while the risk of a major medical incident is low, the cost to the individual is very high.

No one wants to pay for life insurance until after they die. Buying security products is like buying insurance. It spreads your risk across all available systems by making your site less attractive.

This analogy works even better if you consider medical insurance and cancer treatment.

Do not connect your company network to the Internet unless you use a fire wall AND routers to protect it. Many salesmen try to sell routers as fire walls. Routers are not fire walls! TCP/IP can be tunnelled. Read the following papers:

TCP/IP Source Routing tells routers how to route a packet. This can be used to attack your system. Routers should be programmed to ignore routing instructions.

IP packets can be fragmented in order to move between different frame sizes. (FDDI to Ethernet) Fragmented packets can be taken over by an attacker. Nothing keeps someone from setting up their system with your IP address. Do you use rhosts?

If you were told to trust everyone on a list with the money in your pocket and you didn't have a way of really knowing if someone that tells you they are someone on the list is really the person listed, would you trust them? This sounds ridiculous, but computers do it every day using the dot-rhosts option. Dot-rhosts tells your system to trust other systems but there is no real authentication unless you install a package to do so.
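
An added example, not part of the original presentation: a defender's audit of the trust files described above. It assumes home directories live under /home and relies on the Berkeley r-command file format, where "+" in the host or user field is a wildcard; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original presentation.
# Flags .rhosts entries that extend trust to everyone, and trust files
# that someone other than the owner is able to edit.

# Print "FILE:LINE: reason" for each wildcard entry in one trust file.
# Entry format: "host [user]"; a "+" in either field matches anything.
audit_rhosts_file() {
    awk -v f="$1" '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        $1 == "+" && $2 == "+" { print f ":" NR ": any user from any host"; next }
        $1 == "+"              { print f ":" NR ": any host trusted"; next }
        $2 == "+"              { print f ":" NR ": any user on " $1 " trusted" }
    ' "$1"
}

# Walk a tree of home directories (default /home, an assumption) and
# audit every .rhosts file found there.
audit_rhosts_tree() {
    find "${1:-/home}" -xdev -type f -name .rhosts 2>/dev/null |
    while IFS= read -r f; do
        audit_rhosts_file "$f"
        # A trust file that group or others can write to lets them add
        # their own host to the list.
        if [ -n "$(find "$f" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "$f: writable by group or others"
        fi
    done
}
```

The same per-file check applies to /etc/hosts.equiv: audit_rhosts_file /etc/hosts.equiv.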

Everything on a Broadcast network (TCP/IP) can be intercepted and read by anyone on the path. This includes your userid/password combination.

Any workstation or PC can be configured to read the network.

Does your network configuration consider data pathing?

Messages can be injected or altered.

Physical eavesdropping is easy and more common than you think.

Bullet 1 - The passwords are transmitted in the clear.

Bullet 2 - Or use a sniffer, etc....

Bullet 3 - What is the smallest physical path between two points? What physical path is the most secure and has the least number of computers on it? This not only improves security but increases effective bandwidth of the network by subnetting.

Security tools like COPS and Crack are often used by hackers to probe for holes.

The /etc/passwd and /etc/group files are almost always stolen for off-line processing.

The "find" command can be used to look for sticky bit set files that can be used by an attacker. For example, if a file is found, owned by root with the sticky bit set, a copy of "/bin/sh" can be copied to it and then executed as root.

Bullet 1 - You can also reverse the hacker's tools and use them for your benefit.

Bullet 2 - Unless you use shadow passwords or a hand held authentication device.

Bullet 3 - I usually find hundreds of these files on a network, many of them unprotected at permission level 777.
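
An added example, not part of the original presentation: the same "find" search turned to the defender's side, as Bullet 1 suggests. It checks the set-user-ID and set-group-ID bits (modes 4000 and 2000, the bits that make a program run with its owner's or group's privileges); the function names and the baseline file are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original presentation.
# Defensive audit of set-user-ID / set-group-ID files under a directory.

# Every regular file with the set-user-ID (4000) or set-group-ID (2000) bit.
# -xdev keeps find on one filesystem (skips /proc, network mounts, ...).
list_setid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -print 2>/dev/null | LC_ALL=C sort
}

# The dangerous subset: set-ID files that group (0020) or others (0002) may
# write to, so a non-owner can replace what runs with the owner's privileges.
audit_writable_setid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null | LC_ALL=C sort
}

# Set-ID files present now but missing from a baseline saved earlier with
#   list_setid / > baseline.txt
# comm -13 prints only lines unique to the second input (the current scan).
new_setid_since() {
    list_setid "${2:-/}" | LC_ALL=C comm -13 "$1" -
}
```

Each hit from audit_writable_setid is fixed with chmod go-w on the file, or chmod u-s,g-s if the program does not need the privilege at all.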

If you know what the hackers know, you can protect yourself better. If you can't learn what the hackers know, then find someone who can. Security software packages are "canned" knowledge. You are not secure!